Tag: Firewall

Macro-Segmentation Service deployment in a Brownfield Environment

Description This document presents how Arista Macro-Segmentation Service (MSS) can be deployed in a brownfield environment with a mix of non-Arista switches. This solution targets a VXLAN-based network where both Arista and non-Arista Virtual Tunnel Endpoints (VTEPs) share overlay reachability using the EVPN control plane. The following figure depicts such a setup: To enable security enforcement with MSS, the user can place the resources they want to protect behind Arista VTEPs and express the security objectives using firewall policies. Moreover, this feature allows the user to enable MSS in a multiple datacenter (DC) environment where a...

Consistent Policy Enforcement and Multi-VRF support for Macro-Segmentation Service

Description This document presents Arista Macro-Segmentation Service (MSS) deployment in a network with multiple Virtual Routing and Forwarding (VRF) instances. MSS can ensure more granular segmentation within a VRF, either by attracting a subset of east-west traffic to the firewall or enforcing the security objective at the top-of-rack (TOR) switches. This document also explains the policy enforcement guarantee that MSS provides in the presence of switches with varying hardware resources. Summary of Enhancements This section briefly describes the enhancements made to the current set of MSS features in this release: MSS now can be enabled in a non-default VRF in...

How to Enable Application Firewall on Arista Access Points

Introduction Arista Access Points include an Application Firewall feature, which allows you to define firewall rules at application level/Layer 7. This feature can be useful in corporate environments where the requirement is to either allow or block certain applications. The applications that the Arista APs are able to recognize can be broadly classified into the following categories. Messaging Proxy File Transfer Networking Web Services Remote Access VPN and Tunneling Database Network Monitoring Collaboration Games Streaming Media Streaming Media- Messaging Mail Social Networking Prerequisites Administrative access to CloudVision WiFi (CVW) / Wireless Manager (WM). Application Visibility should be enabled on the...

Hardware based firewall

Description The hardware-based implementation of the firewall uses a segment security model. In the segment security model, groups of interfaces, subnets, or IP prefixes are classified into segments. This allows policies to be defined that govern the flow of traffic between a pair of segments called the “from-segment” and the “to-segment”. The policies define inter-segment communication rules. For example, segment A can communicate with segment B over TCP port 80. By default, no communication is allowed between segments; explicit rules must be configured to allow any communication between segments. However, communication is always allowed within the same segment. The...

Arista Macro Segmentation Service (MSS) integration with Check Point Software Technologies Firewalls

Description This document explains how to configure and deploy Arista MSS with Check Point Software Technologies firewalls (henceforth referred to simply as Check Point). The feature requires the use of Check Point Management Server (Gaia), a security management platform by Check Point, which allows central management of Check Point gateway security devices. Platform Compatibility The feature has been tested with the following Management Server and Gateway versions: Management Server Versions Version R80.30 with API version 1.5 (and above). In addition to this Management Server version, Check Point is provided a “hot fix” that provides a “Proxy API” ability which...

Arista Macro Segmentation Service integration with Fortinet Firewalls

Description This document explains how to configure and deploy Arista MSS with Fortinet FortiGate firewalls (also called FortiGate: Next Generation Firewall or NGFW). The feature requires use of FortiManager, a security management platform by Fortinet, which allows central management of Fortinet Network Security devices, such as FortiGate firewalls. Platform Compatibility The feature has been tested with the following FortiManager and FortiGate versions: FortiManager Versions FortiManager 5.6.2 and 6.0.1 (and above) FortiGate Versions FortiGate 5.6.3, 5.6.4 and 6.0.0 build 5056 (Interim) (and above) FortiGate Hardware Types Arista MSS has been designed to provide security integration with data center class firewalls. FG100E...